In February 2022, FINRA issued compliance officer Arnold Feist with a $25,000 fine and a two-month suspension for failing to oversee his employer’s anti-money-laundering (AML) program. FINRA found that Feist, an AML compliance officer, had failed to familiarize himself with his firm’s day-to-day operations and had failed to supervise its AML analysts. Feist also “took no steps to investigate or address” the firm’s surveillance and review process around AML.
In the case of Feist, it appears this was not wilful bad practice, but that he lay dormant; not proactive ill-will, but instead a lack of action and understanding. In a letter between FINRA and Feist, it was noted that despite having learned about the company’s AML controls, he did not recognize that they were insufficient, and failed to see that they weren’t detecting or reporting suspicious activity within the firm. As such, the regulator held him personally responsible.
SMCR
Of course, when it comes to regulatory focus for roles, responsibilities and ultimate accountability, the wheels were set firmly in motion with the introduction of the Senior Managers and Certification Regime (SMCR) in 2008. But while debate continues as to whether the SMCR is actually working, broader industry focus around individual accountability for CCOs is hard to avoid in 2022. FINRA’s action against Feist was just the tip of the iceberg.
Fast forward four months to June 2022, and the CCO focus continued to dominate regulatory proceedings and issuances. The UK’s Law Commission published an Options Paper for the government, including measures to widen the scope of liabilities between corporations and senior managers. Concurrently, the New York City Bar (NYCB) issued a Framework for Chief Compliance Officer Liability within Financial Services.
SEC Commissioner Hester Peirce took this opportunity to reflect on the landscape for CCO accountability, setting out how the Framework could operate in practice, with a series of eight questions that should be asked in all instances. Her comments came as the SEC published administrative action against a CCO who had been made aware of non-compliant activity but failed to take sufficient remedial action for over a year. The CCO was banned from acting in a supervisory or compliance capacity for at least five years, and received a $15,000 fine.
Commissioner Peirce used this enforcement as a test case for the NYCB’s proposed Liability Framework to establish whether charging a CCO would “help fulfil the SEC’s regulatory goals”. This isn’t always an easy question – especially in cases where the misconduct isn’t necessarily wilful.
In creating a CCO accountability framework there arises a “difficult question of distinguishing conduct that is only ‘debatably inappropriate’ from conduct that is ‘wildly inappropriate’”, Peirce said.
Transparency
New frameworks for increased accountability of CCOs and senior management follow a wave of increased transparency measures for financial services. While accountability is important, these proposals come with disadvantages. In an industry that often struggles to recruit and retain highly skilled compliance staff, greater accountability measures could act as a further deterrent. As Commissioner Peirce acknowledged at the time, “fears of facing liability for someone else’s missteps can dissuade excellent candidates from seeking compliance jobs”.
Unjustified liability for CCOs should be avoided at all costs, but direct accountability for missteps will play a significant role in the future of financial services – one that is moving to prioritize openness and information sharing – from ESG and D&I disclosures through to justifying bonuses for execs. In September, the SEC issued yet another enforcement action against a CCO – this time requiring them to undergo 30 hours of training, to align them with regulatory expectations.
Bad compliance sticks. CCOs have the rare misfortune that, if they get their job wrong, the whole industry will likely know about it through regulatory press releases or otherwise. That reputation will often follow you from job to job. Put this alongside frequent lack of resource, challenges in accessing data and the siloed nature of the compliance function – it’s a wonder there are any CCOs left at all.
How can a CCO’s life be made easier? And how can they avoid personal accountability woes? Whether driven by SMCR or simply by best practice, firms should understand who is responsible for what, from the top down. Having holistic oversight and auditable trails of roles and responsibilities will ensure you know where to turn when things go awry.
In the case of bad actors, having watertight surveillance of end-to-end operations will mitigate gaps and minimize opportunity for non-compliant activity to go unnoticed. Having processes in place that demonstrate proactive compliance also shows willing. Regulators will be more forgiving where you can show that you tried.
Finally, avoid risk at all costs – whether it’s third-party risk or otherwise. Simplify and consolidate your compliance functions, know where your gaps exist and take active steps to resolve them … do not bury your head in the sand. Bad compliance will not resolve itself and regulators are unforgiving of dormant CCOs.